International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com)
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
Empirical Study on the Status of Moroccan Information Systems and Proposition of Approach for Choice of Best Practices for Good IT Governance Y.Sekhara, H.Nahla, S.Elhasnaoui, M.Chergui, A.Chakir, H.Medromi Laboratory of Informatics, System and Renewable Energy, Hassan II University - ENSEM, Casablanca, Morocco Abstract—Today, the function of the chief information officer (CIO) has become part of the flow charts of many Moroccan companies [1]. Based on this statement, we did an empirical study in the first part of this work on the state of information systems (IS) Moroccan to know their strengths and weaknesses. The aim of the second part is to propose an approach based on the IT (information technology) frameworks helping CIOs to form their own repository of good practices to be applied in order to have good IT governance. Keywords— Information system, IT Governance, IT framework Empirical study of Moroccan IS. I. INTRODUCTION To improve the IT governance of any organization, the IT department is often on the initiative. En effet, le but d'un service informatique est non seulement de rester au service des départements d'affaires, mais plutôt de les guider de manière proactive pour la bonne utilisation des technologies. The IT departments have many challenges in a context of significant pressure on IT budgets: choosing the right projects, helping to arbitrate between the different business projects consistent with the business strategy, supporting the short term while now investments and infrastructure guidelines for the long term... and of course delivering services with ever increasing quality levels in response to the demands of customers and users. The IT department must develop a strategy, propose suitable business processes and connect them to service quality measures. [2] The Moroccan organization; as everywhere in the world; knows a digital transformation. One of the most important issues that are facing CIOs is to find a way to properly conduct the transformations imposed on them [3]. In this study; we discover the state of the information systems of Moroccan organizations based on a survey conducted with 51 organizations' managers of high level, In this study ; we discover the state of the information systems of Moroccan organizations based on a survey conducted with 51
www.ijaems.com
organizations' managers of high level , between companies of different sizes, governments and other organizations from various sectors, and then we propose an approach that allows CIOs to find the best practices from the best-known frameworks in the world of IT governance II. STATE OF ART A. IT governance The concept of governance is ubiquitous today: global governance, European governance, national governance, corporate governance, sector governance, internet governance. Whenever actors want to exercise power over a system, whatever it is, they evoke the notion of governance. [4] A broad and descriptive definition of governance is to consider it describes how a system is directed and controlled. To meet the constant need for change and improvement of IT linked to a requirement increasingly strong of clients; leaders of IT department are interested more and more in the IT governance , the procedures and process to control the IS [5]. The IT governance covers 5 areas [6]: • Value delivery • Strategic alignment • Resource management • Risk management • Performance management There are a large number of frameworks that reflect the best practices developed over the years, their adoption has become essential to have the results expected by the organism B. Literature of important IT frameworks COBIT [7] is a globally accepted set of tools that executives and IT professionals can use to ensure that IT operations are aligned with business goals and objectives. It was initially created by the Information Systems Audit and Control Foundation (ISACF) in 1996 as part of the Committee of Sponsoring Organizations of the Treadway
Page | 929
International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com) Commission (COSO) evaluation framework. The IT Governance Institute (ITGI), which founded by ISACA in 1998, released the third edition of COBIT in 2000; the fourth edition was released in 2005, and was revised as 4.1 edition in 2007. Released in 2012, COBIT 5 is the newest framework. The discussion of this research focuses on COBIT 4.1 as it lays the foundation of COBIT framework and is more widely used. In addition, a large part of COBIT 5 refers back to COBIT 4.1. According to ITGI, COBIT 5 is developed by consolidating and integrating the COBIT 4.1, Val IT1 and Risk IT2 into one single business framework. Each of COBIT‘s IT processes has a process description and a number of control objectives. COBIT classifies generic IT processes into main domains. The control objectives are identified by a two-character domain reference (such as PO, AI, DS and ME) plus a process number and a control objective number. COBIT 4.1 has 34 high level processes that cover 222 control objectives categorized in four domains, which are mapped and aligned with traditional IT development concept of Plan, Build, Run and Monitor: • Plan and Organize (PO) • Acquire and Implement (AI) • Deliver and Support (DS) • Monitor and Evaluate (ME) ITIL (Information Technology Infrastructure Library) is the most widely accepted approach to IT service management in the world. The IT Service Management ITIL is based on five groups of activities (each containing its multiple processes) to manage the service throughout its life cycle[5]; the five phases are[8]: • Service Strategy: The phase of strategic planning of service management capabilities, and the alignment of service and business strategies. • Service Design : The phase of designing and developing appropriate IT services, including architecture, processes, policy and documents; the design goal is to meet the current and future business requirements • Service Transition : The phase of realizing the requirements from previous stages, and improving the capabilities for the transition of new and modified services to production • Service Operation: The phase of achieving effectiveness and efficiency in providing and supporting services in order to ensure value for the customer and the service provider. • Continual Service Improvement : The phase of creating and maintaining the value for the customer by design improvement, and service introduction and operation In the ITIL framework, the quality of service is based on a structure of measurable possible repeated activities in
www.ijaems.com
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
interrelated processes. This approach to service management by process is now recognized as the most effective by a large number of companies. A process consists of several activities generating results to clients. It is called after a trigger event. A well-studied process must achieve the objectives, using optimal time, money and resources. A process is provided by roles and not directly by the people, what makes this notion generic and independent of the organization ISO/IEC 27002: The goal of ISO/IEC 27002:2005[9] is to provide information to parties responsible for implementing information security within an organisation. It can be seen as a best practice for developing and maintaining security standards and management practices within an organisation to improve reliability on information security in interorganisational relationships. It defines 133 security controls strategies, under 11 major headings. The standard stresses the importance of risk management and makes it clear that it is not necessary to implement every stated guideline, only those that are relevant. The guiding principles in ISO/IEC 27002:2005 are the initial points for implementing information security. They rely on either legal requirements or generally accepted best practices. Measures based on legal requirements include: • Protection and non-disclosure of personal data • Protection of internal information • Protection of intellectual property rights Best practices mentioned in the standard include: • Information security policy • Assignment of responsibility for information security • Problem escalation • Business continuity management CMMI (Capability Maturity Model Integration) [10] is a framework that defines and measures processes and practices. CMMI is a proven technique for performance management CMMI Institute, 2013. Organizations using CMMI can predict cost, schedule and quality within business results that separates it from other frameworks and models. CMMI has 3 core areas of interests: acquisition, services and development which consists of 22 processes, out of which 16 are core processes. III. EMPIRICAL STUDY OF MOROCAN IS A. Objective Of the Study The objective of this study is to examine the state of IS in various Moroccan organizations and discover their strengths and weaknesses. B. Study Hypothesis and Methodology In recent years Moroccan organizations have realized the importance of IT and its role to accelerate the country's economic development [3]. However the perception of
Page | 930
International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com) Operation and maturity of the IT department by the other parts of company is not the same in all organizations. To validate this hypothesis we conducted this study on Moroccan IS. Based on a sample of 51 organizations working in 10 different sectors this survey was conducted by answering a questionnaire composed of 45 questions of which 18 relate to the use of IT in the organization studied. This question allowed to discover the positioning of IS within the organization and identify its main characteristics. C. Studied topics The questionnaire focused on several topics: • Business activities • IS Existence • Budget of IT department • size of IT department • Cost of IS • IT Department response time • adaptability of IS • strengths of IS • weaknesses of IS
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
D. Study Analysis By analyzing the data, it appears that the organizations participating in the survey are as follows (the sectors are classes of Moroccan Nomenclature of Economic Activities) Table1: Sectors of Participating Organizations Nb. cit. Fréq.
Business Activities
Manufacturing industry 9 17,0% Production and supply of electricity, gas, vapor and airconditioning 1 1,9% Construction (Building, public works) 2 3,8% 4 7,5% Trade, repair of automobile and motor bicycles 6 11,3% Information and communication Financial activities and of insurance 12 22,6% Activities of administrative departments and support10 18,9% Public administration (Prefecture, municipality, district) 1 1,9% Education (primary, secondary, upper, public, private) 5 9,4% Human health and social action (Hospitals, private hospitals) 3 5,7% TOTAL CIT. 53 100%
The table2 shows the presence of IS in the various companies according to sectors, we remark that the SI is essential in some sectors such as information and financial sector companies while some sectors know total or partial absence of IS; but in general we can say that the IS has an important place in most sectors
Table.2: Existence of IS Production Construction a Trade, repair Information Financial a Activities of Public admi Education Human TOTAL Business ActivitiesManufacturin g industry nd supply of (Building, p of nd communi activities and administrativ nistration (Pr (primary,health and electricity,ublic g works) automobile cation of insurance e departmen efecture, mu secondary, social action as, vapor an and motor ts and suppo nicipality, disupper, (Hospitals, d airconditio bicycles rt trict) public, private ning private) hospitals) IS Existance Yes 88,9% No (Go to Q45-Validation) 11,1% TOTAL 100%
100% 0,0% 100%
0,0% 100% 100%
0,0% 100% 100%
100% 0,0% 100%
100% 0,0% 100%
IT departments of the participating organizations are of different sizes (fig1) and operate with a budget ranging from less than 1 million to + 100.000 Mdhs (Moroccan dirhams) (Fig2)
80,0% 20,0% 100%
100% 0,0% 100%
60,0% 40,0% 100%
100% 0,0% 100%
79,2% 20,8% 100%
Budget of IT departement
Less than 100,000 MAD from 100,000 to 500,000 MAD 500.001-1.000.000 MAD
size of IT department
33,3%
+ 1.000.000 MAD
38,5% Less than 10 persons 10 to 20
29,3%
more than 20
36,6%
17,9%
34,1%
Fig.1: Size of IT department
www.ijaems.com
10,3%
Fig.2 : Budget of IT department We can explain this difference by the diverse needs of organizations to its IS and the necessity of using IT to
Page | 931
International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com) accomplish business tasks as shown in the graph, and this explains the indispensability of the IS in the financial and IT sectors as mentioned in the explanation of the second table. Table.3: cost of IS
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
We notice more than the cost of IS becomes higher that the response time becomes shorter and adaptability becomes better; this shows that organizations are looking for quality of IT service in the increased spending which explain why they consider the IS as a burden. This graph (fig3) shows the IS weaknesses according to the size of IT department: we find more weaknesses where there are more people, for example it is getting slower and more complicate. Fig.3: Relation Between Size and Weeknesses size of IT department x weaknesses of IS 12 Less than 10 persons 17 10 to 20 23 more than 20
By analyzing the responses to the question "How do you assess the level of the cost of IS in relation to IT service level offered?� We got the table on the left (Table3) which shows that except 22.5% who consider that the cost is not high at all, the majority considers that the IS presents a burden for the enterprise; and this regardless of the budget for the IS as shown in the chart at right (Table4 ). Table.4:Relation betwenn Cost of IS and Budget Budget of IT departement Less thafrom 100500.001+ 1.000. TOTAL n 100,00,000 to 5-1.000.0 000 MA 0 MAD 00,000 00 MAD D MAD Cost of IS High 6,7% 25,0% 100% 0,0% 14,3% moderately high 33,3% 75,0% 0,0% 30,8% 34,3% little high 33,3% 0,0% 0,0% 30,8% 25,7% not high 26,7% 0,0% 0,0% 38,5% 25,7% TOTAL 100% 100% 100% 100% 100%
We can determine the cause of this perception by analyzing the IT department response time to requests from other departments and its adaptability according to the cost; the following tables 5&6 show the results. Table5: Relation Between Cost of IS and Response Time
Complicated
Slow
Saturated
Limited
other : ...
i do not know
To remedy the problems faced by the efficient operation of IS within a company, CIOs try to implement the standards that reflect the best practices developed over the years; but each one of them has a particular concern: risk management, service management, audit, project development, etc. The adoption of multiple frameworks allows an organization to exploit the synergies between them and overcome weaknesses of a framework by the strengths of others. CIOs are so many to have defined their own "internal reference" (which can be a kind of amalgam of multiple repositories and characteristics specific to the company). A selective approach is needed to get the better of each repository to meet the managerial needs of the IS; the wrong choice can cause problems instead of being a solution. We propose an approach for CIOs to define IT objectives declined from the global strategy of the company and to find the best framework for each objective. C. PROPOSED APPROACH FOR THE CHOICE OF BEST PRACTICES The standards of good practices represent a strong lever to facilitate internal membership. It is also appropriate to use more than a standard wisely, each in the area where it is most appropriate. For efficient utilization we propose a 4step approach (fig4).
Table.6: Relation Betwenn Cost of IS and Adaptability
www.ijaems.com
Page | 932
International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com)
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
After designating the process of COBIT to apply in IS, the aim of the second phase is to study the implementation of these processes by the different frameworks and we require that each area of governance must be represented at least by one framework (PMBOK for project management, ITIL for service management ...) and this in order to implement the various activities that make up the COBIT process. Step3: Calculating implementation levels After knowing what are the standards that treat each process we will focus on each process and compare the different implementations. We will associate with each framework what we call the "implementation level" indicates how this framework implements the process of COBIT, this implementation level is the number of requirements mapped to the process of COBIT should be implemented Step4: Comparison and choice The next step after calculating the levels of different standards is to compare them to know what standard to choose; the framework with highest level will be selected to implement the process of COBIT. The result of applying this approach to all COBIT processes gives us the best practices to apply in our information system to achieve the intended objectives; we can say we formed our own repository.
Fig.4: Proposed Approach Step 1: Strategic alignment Alignment is defined as "the ability to demonstrate a positive relationship between IS and the financial measures of the recognized performance"[11]. The alignment of information systems to business strategy is one of the fundamental challenges for the practice and science of today. It is a topic that is increasingly considered by the different information management approaches. For this stage, our approach is based on COBIT to effectively translate the strategic objectives of the business to a consistent set of IT objectives, themselves fed by a set of COBIT processes. COBIT provides correspondence tables to identify all IT objectives declined from each business objective, and then COBIT processes declined from each IT objective [12]. The correspondence tables between business goals and IT goals and, between IT goals and processes, present an instant use roadmap for the reader COBIT is independent of the technical IT platforms adopted in an organization, it focuses on what is necessary to achieve adequate management of IS, and is positioned at a high level. COBIT has been aligned and harmonized with other, more detailed, IT standards, it acts as an integrator of these good practices. Step2: Designating the frameworks
www.ijaems.com
III. CONCLUSION In these papers we started by showing the importance of the IT governance and presented some IT frameworks; Then we saw the main results of the study on the state of IS in various Moroccan organizations. We finally propose a method to guide CIOs make the right choice of best practices to apply. We intend to build an automated solution based on this approach to facilitate the steps of designation, calculations and choices that may be considered as complicated tasks.
[1] [2] [3]
[4] [5]
[6]
REFERENCES Jankari consulting/AUSIM . Annuaire des directeurs des systèmes d’information au maroc – (edition 2011) it-expert (novembre décembre 2008) AUSIM . L’entreprise numérique : opportunités et défis pour le maroc d’aujourdhui et de de demain Bilan des Assises de l’Ausim 2012 Cigref. Gouvernance du système d'information : Problématiques et démarches (novembre 2002) Youssef SEKHARA, Hicham MEDROMI and Adil SAYOUTI, “Multi-Agent Architecture for Implementation of ITIL Processes: Case of Incident Management Process” International Journal of Advanced Computer Science and Applications(ijacsa), 5(8), 2014 IT Governance Institute (ITGI). (2003). Board briefing on IT governance (2nd Ed.).
Page | 933
International Journal of Advanced Engineering, Management and Science (IJAEMS) Infogain Publication (Infogainpublication.com)
[Vol-2, Issue-7, July- 2016] ISSN: 2454-1311
[7] IT Governance Institute: COBIT® 4.1 [8] itSMF France ―ITIL : Information Technology Infrastructure Library‖. [Online]. Available: http://www.itilfrance.com [9] Software Engineering Institute. CMMI® for Development, Version 1.3 [10] ISO, 2013. ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management [11] Paul A. Strassmann .What is Alignment?. Cutter IT Journal, August 1998. [12] Solucom. Les référentiels SI : comment s’en servir ?.(Mai 2009)
www.ijaems.com
Page | 934